Information Security Policy

1 PURPOSE

The purpose of this policy is to provide guidance and support for information security management in accordance with the requirements of medical activity and applicable regulations.

This policy contains a description of key elements, both human and organizational, technological and documentary, that ASCIRES Grupo Biomédico (hereinafter ASCIRES) applies to protect information, and especially personal data, preventing security incidents that endanger them.

At all levels of ASCIRES, the real and effective application of the prevention and control measures provided for in this policy will be ensured, so that this management system achieves the elimination or reduction of behaviors that may endanger the security of information assets and personal data processed by ASCIRES.

This policy will be adapted to the technological and legislative changes that occur. in the future.

2 OBJECTIVES, MISSION AND SERVICES PROVIDED BY ASCIRES

ASCIRES' fundamental objective is to provide patients with precision diagnostic services, radiotherapy treatments, nuclear medicine, as well as specialized and personalized care in medical consultations with outpatient surgery.

The vocation for the patient, the passion for technological innovation and the humanization of treatment are the hallmarks shared by ASCIRES. Due to its technology and the number of patients treated annually, ASCIRES is the pioneering biomedical group in Spain in Diagnostic Imaging and Nuclear Medicine, as well as a benchmark in Radiotherapy Oncology.

ASCIRES, within its scope of action, provides services related to activity within the healthcare sector.

This means that its main assets are intangible in nature and are mainly made up of confidential information, such as patient medical information or information related to scientific research, personal data, intellectual property, industrial property, among others.

The intangible nature of this type of assets makes them very vulnerable to internal and external threats such as unauthorized access, unauthorized copying, disclosure, transfer to third parties, unauthorized use, unauthorized exploitation and even destruction.

The protection of information assets requires a series of legal, technical and organizational measures that are summarized in this policy and detailed in the rules and procedures of ASCIRES.

3 SCOPE OF APPLICATION

This policy applies to the following areas of ASCIRES:

• Corporate scope: From now on, the set of companies and entities adhering to this policy will be referred to interchangeably as ASCIRES or as the companies. Specifically, it is applicable to the following companies:
• Personal scope: this policy is applicable to all levels of ASCIRES, including the administrative bodies, management positions, control bodies and all personnel serving ASCIRES.
• Relational scope: the scope of application of this policy will extend, to the extent possible, to ASCIRES suppliers, distributors and customers. In the event that this is not possible, contracting will be limited to companies that have policies with a similar level of protection or contractual conditions regarding patterns of conduct, preventive measures and control systems regarding information security will be imposed.
• Geographical scope: this policy will apply to public and private relations that ASCIRES establishes in any geographical area, both local and international.

Based on the above, and taking into account the requirements applicable to ASCIRES in terms of security, the following formal scope is established, which defines the areas that must comply with the specifications of the National Security Scheme:

“The information systems that support the radiodiagnostic and nuclear medicine services that support healthcare and non-healthcare processes and activities in accordance with the current categorization document.”

4 REGULATORY FRAMEWORK

4.1 EXTERNAL DOCUMENTATION

National and European:

Guides and standards:

Registry of applicable Guides: “Control Guides Applicable”.

4.2     INTERNAL DOCUMENTATION

Ascires Protection Policy.

5 JUSTIFICATION OF THE INFORMATION SECURITY POLICY

The objective of information security is to guarantee the quality of the information and the continued provision of services, acting preventively, monitoring daily activity and reacting diligently to incidents.

The systems managed by ASCIRES must be managed diligently, taking appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or the services provided.

To defend against these threats, a strategy is required that adapts to changes in the conditions of the ASCIRES environment and thus guarantee the continued provision of services. services.

6 SECURITY IN CERTAIN AREAS OF ASCIRES

Certain areas that make up ASCIRES must apply the minimum security measures required by the National Security Scheme, since they provide services to the Public Administration, as well as continuously monitor the levels of service provision, follow and analyze reported vulnerabilities, and prepare an effective response to incidents to ensure the continuity of the services provided.

The different departments must ensure that security in information systems is an integral part of each stage of the system's life cycle, from its conception to its withdrawal from service, including development or acquisition decisions and exploitation activities.

The departments must be prepared to prevent, detect, react to and recover from security incidents, in accordance with Article 8 of the ENS.

7 PRINCIPLES AND OBJECTIVES OF INFORMATION SECURITY

The objectives of ASCIRES in terms of information security are aligned with those of medical activity, giving priority to compliance with the legal obligations that are applicable to the activity carried out.

Compliance with the General Data Protection Regulation of the European Union and the regulations regarding the protection of personal data in force in the countries in which ASCIRES operates is considered a priority objective of information security.

At all levels of ASCIRES there will be a commitment to comply with the objectives set in terms of information security and to apply the established controls.

The ASCIRES security strategy will comply with the principles of confidentiality, integrity, availability, authenticity and traceability of information.

The principle of confidentiality guarantees that information is only accessible to users authorized to access it and that it cannot be disclosed to third parties without the corresponding authorization.

The principle of integrity guarantees that data will be kept free from unauthorized modifications and that existing information has not been altered by unauthorized persons or processes.

The principle of availability guarantees that information will be accessible and usable on a constant basis, ensuring the continuity of processes and medical activity. This principle is linked to the principle of resilience, which consists of ensuring the ability of systems and information to recover after an incident that prevents temporary access to them.

The principle of authenticity guarantees that the origin and identities associated with the information are really those that appear in its attributes. This principle is linked to the principle of non-repudiation, which consists of ensuring that a user cannot deny the authorship of an act in the system or the link to a piece of data or set of data.

The principle of traceability guarantees the possibility of determining at any time the identity of the people who access the information and the activity they carry out in relation to it, as well as the different states and routes that the information has followed.

A principle of proportionality will be applied between the controls to be applied and the severity of the risk to be prevented, detected or mitigated.

In new services and developments, the principle of security by design and by default will be applied.

All roles and responsibilities will be differentiated and assigned individually in the job description. In addition to this individualized assignment, all persons belonging to ASCIRES, regardless of the level, will be obliged to comply with the rules, procedures and controls established in terms of information security.

The highest authority for control in terms of information security will correspond to the administrative body, which will be supported by the Data Protection and Information Security Committee, which includes the Chief Information Security Officer (CISO), who will be responsible for ensuring compliance with this policy and reporting any relevant issue to the Committee.

ASCIRES may develop rules and procedures that develop, specify and detail the control measures indicated in this policy.

8 SECURITY ORGANIZATION

8.1 DEFINITION OF ROLES AND RESPONSIBILITIES

When managing In terms of information security, ASCIRES has taken international standards such as ISO 27001 as a reference; however, considering that ASCIRES also provides specific services to the Public Administration, the provisions of the National Security Scheme are also applied.

In accordance with article 12.1 of Royal Decree 311/2022, of May 3, which regulates the National Security Scheme, clear persons responsible for ensuring compliance with the Security Policy must be identified and must be known by all members of ASCIRES.

ASCIRES will adopt the necessary measures so that staff are comprehensible about the security regulations that affect the development of their functions, as well as the consequences that could be incurred in the event of non-compliance.

* The following roles are established in ASCIRES related to Information Security:

8.2    RESPONSIBILITIES THAT CORRESPOND TO EACH ROLE:

• Service Manager:

The Service Manager has the following associated functions:

Establishes the security requirements of the services. Within the framework of the ENS, it is equivalent to the power to determine the security levels of the Service.

• The Service Manager has the ultimate responsibility for the use made of certain services and, therefore, for their protection.
• The Service Manager is ultimately responsible for any error or negligence that leads to an incident of availability of the services.
• He will determine the security levels in each dimension of the service.
• Although the formal approval of the levels corresponds to the Service Manager, he may request a proposal from the Security Manager and it is advisable to listen to the opinion of the System Manager.
• The provision of a service must always meet the security requirements of the information it handles, so that the security requirements of this can be inherited, adding availability requirements, as well as others such as accessibility, interoperability, etc.
• Service Manager Information:

The person responsible for the Information System has the following associated functions:

He has the ultimate responsibility for the use made of certain information and,

therefore, for its protection.

• The person responsible for the Information is ultimately responsible for any error or negligence that leads to an incident of confidentiality of integrity.

• He establishes the requirements for information in terms of security. Within the framework of the ENS, it is equivalent to the power to determine the levels of information security.

• It will determine the levels of security in each dimension within the framework established in Annex I of the National Security Scheme.

• Although the formal approval of the levels corresponds to the Information Manager, it may request a proposal from the Security Manager and it is advisable to listen to the opinion of the System Manager.

• Security Manager:

The Information Security Manager has the following associated functions:

• He will report directly to the Data Protection and Information Security Committee.

• He will act as Secretary of the Data Protection and Information Security Committee. Information.

• It will convene the Data Protection and Information Security Committee, collecting the relevant information.

• It will maintain the security of the information handled and the services provided by the information systems in its area of ​​responsibility, in accordance with the provisions of this Security Policy.

• It will promote training and awareness in matters of information security within its area of ​​responsibility.

• It will be the specialized point of contact for coordination with the reference CSIRT.

• It will act as a trainer of good practices in security of networks and information systems, both in physical and logical aspects.

• It will compile the security requirements of the Information and Service Managers and determine the category of the System.

• Carry out the Risk Analysis.

• Prepare a Declaration of Applicability based on the security measures required and the result of the Risk Analysis.

• Provide the Information Manager and the Service Manager(s) with information on the level of residual risk expected after implementing the treatment options selected in the risk analysis and the security measures required by the ENS.

• Coordinate the preparation of the System Security Documentation.

• Participate in the preparation, within the framework of the Data Protection and Information Security Committee, of the Information Security Policy, for approval by Management.

• Participate in the preparation and approval, within the framework of the of the Data Protection and Information Security Committee, of the Information Security regulations.

• It will prepare and approve the Information Security Operating Procedures.

• It will periodically provide the Data Protection and Information Security Committee with a summary of actions in the area of ​​security, of incidents related to information security and of the security status of the system (in particular the level of residual risk to which the system is exposed).

8.4      DATA PROTECTION AND INFORMATION SECURITY COMMITTEE

This is the body that coordinates Information Security at an internal level at ASCIRES.

It will be made up of the Service Manager, the Security Manager, the Information Manager and the System Manager.

Likewise, the DPO and the Legal Department Director will be integrated into the Data Protection and Information Security Committee, whose functions are detailed in the Data Protection Policy.

The Data Protection and Information Security Committee will have the following functions: 

• Coordinate all security functions at ASCIRES.

• Address the concerns of Senior Management and the different departments.

• Regularly report on the status of information security to Senior Management.

• Coordinate the preventive function of the prevention model and will have autonomous powers of initiative and control.

• Promote the continuous improvement of the Information Security Management System.

• Develop the strategy for the evolution of ASCIRES with regard to information security.

• Coordinate the efforts of the different areas in terms of information security, to ensure that efforts are consistent, aligned with the strategy decided on in this area, and avoid duplications.

• Develop (and regularly review) the Information Security Policy for approval by the Management.

• Approve information security regulations.

• Develop and approve training and qualification requirements for administrators, operators and users from the information security perspective.

• Monitor the main residual risks assumed by ASCIRES and recommend possible actions regarding them.

• Monitor the performance of security incident management processes and recommend possible actions regarding them. In particular, ensure the coordination of the different security areas in the management of information security incidents.

• Promote the performance of periodic audits to verify compliance with the organization's obligations in terms of security.

• Approve ASCIRES information security improvement plans.

• In particular, ensure the coordination of different plans that can be carried out in different areas.

• Ensure the alignment of security activities and ASCIRES objectives.

• Ensure compliance with applicable legal regulations.

• Ensure that information security is taken into account in all information and communications technology projects from their initial specification to their implementation. In particular, it must ensure the creation and use of horizontal services that reduce duplication and support the homogeneous operation of all ICT systems.

• The Steering Committee is responsible for resolving any conflicts of responsibility that may arise between the different managers and/or between different areas of ASCIRES, raising those cases in which it does not have sufficient authority to decide.

• Coordinate the continuity plans of the different areas to ensure seamless operation in the event that they must be activated.

• Prepare the Security Policy, which will be approved by Senior Management.

• Coordinate and approve the proposals received for projects in the different areas of security. The security managers will be responsible for carrying out regular monitoring and presentation of the progress of the projects and announcing possible deviations.

• Request regular reports from Security Officers on the security status of ASCIRES and possible incidents. These reports are consolidated and summarized for Senior Management.

• Coordinate and respond to concerns transmitted through Security Officers.

• Define, within the Security Policy, the assignment of roles and the criteria to achieve the guarantees that are deemed pertinent in relation to the segregation of functions.

The Security Officer will assume the functions of the secretariat of the Data Protection and Information Security Committee, which will be those detailed below:

• Convene meetings of the Data Protection and Information Security Committee.

• Prepare the topics to be discussed at the Committee meetings, providing timely information for decision-making.

• Prepare the minutes of the meetings.

• The person responsible for the direct or delegated execution of the Committee's decisions.

The Information Security Officer will transfer to the ASCIRES Data Protection and Information Security Committee those aspects that have been discussed with the Security Officer when they must be managed jointly with the City Council.

8.5     HIERARCHY IN THE DECISION-MAKING PROCESS

The hierarchy of roles is described as follows:

• The Data Protection and Information Security Committee gives instructions to the Information Security Officer who is responsible for complying with, supervising that administrators and operators implement the security measures as established in this policy security.

• The Security Administrator will report to the System Manager:
  • Incidents related to system security.
  • Configuration, update or correction actions.

• The System Manager informs the Information Manager of functional incidents related to information. The System Manager reports to the Security Manager:
  • Security actions
  • Consolidated summary of security incidents
  • Effectiveness measures of the protection measures to be implemented

• The Information Security Manager reports:
  • The Information Manager of security decisions and incidents that affect the information that is his/her responsibility, in particular the residual risk estimate and significant risk deviations from the approved margins.
  • The Service Manager of security decisions and incidents that affect the service, in particular the residual risk estimate and significant risk deviations from the approved margins. approved.

• The Information Security Officer reports to the Data Protection and Information Security Committee as secretary:
  • Consolidated summary of actions in the area of ​​security.
  • Consolidated summary of incidents related to information security.
  • Status of system security, in particular the residual risk to which the system is exposed.

The Information Security Officer reports to the Management of the organization, as agreed in the Data Protection and Information Security Committee.

The vote or decision of the Information Security Officer will prevail in the event of a tie in the decisions taken by the other members of the Data Protection and Information Security Committee. Information.

8.6     SECURITY ORGANIZATION CHART 

9 RISK MANAGEMENT

9.1 JUSTIFICATION

All systems subject to this Policy must perform a risk analysis, assessing the threats and risks to which they are exposed.

ASCIRES periodically and continuously performs a risk analysis of the threats that affect information security.

The risk analysis is performed through an inherent risk map, in which the gross risks existing before the application of prevention, detection and mitigation controls are assessed, and through a residual risk map, in which the net risks existing after the application of controls are assessed.

The risk analysis will be the basis for determining the security measures that must be adopted in addition to the minimums established by the National Security Scheme, as provided for in Article 7 9.2 RISK ASSESSMENT CRITERIA

In order to harmonize risk analyses, the Data Protection and Information Security Committee will establish a reference assessment for the different types of information handled and the different services provided.

The detailed risk assessment criteria will be specified in the risk assessment methodology that ASCIRES will develop, based on recognized standards and good practices.

At least, all risks that may seriously impede the provision of services or the fulfillment of ASCIRES' mission must be addressed.

Special priority will be given to risks that imply a cessation of the provision of services to citizens.

9.3 RISK COMMUNICATION

At all levels of ASCIRES, there will be an obligation to immediately communicate the information security risks that are being handled. identify.

These risks will be communicated through the channels that ASCIRES has enabled to communicate any type of threat to people, assets or regulatory compliance.

9.4 NEED TO CARRY OUT OR UPDATE RISK ASSESSMENTS

Risk analysis and its treatment must be a regularly repeated activity, as established in Article 10 of the ENS. This analysis will be repeated:

• Regularly, at least once a year.

• When significant changes occur in the information handled.

• When significant changes occur in the services provided.

• When significant changes occur in the systems that process information and intervene in the provision of services.

• When a serious security incident occurs.

• When serious vulnerabilities are reported.

10 PERSONAL DATA PROTECTION

ASCIRES processes personal data. The Register of Processing Activities, which will only be accessible to authorized persons, includes the affected processing and the corresponding controllers.

All ASCIRES information systems will comply with the security required by the regulations on personal data protection in accordance with the risk analysis carried out for the nature and purpose of the personal data collected in the Register of Processing Activities of the organization.

11 SECURITY INCIDENT MANAGEMENT

11.1 INCIDENT PREVENTION

The areas that make up ASCIRES must avoid, or at least prevent as far as possible, that the information or services are harmed by security incidents.

To do this, the areas that make up ASCIRES must implement the minimum security measures determined by the ENS, as well as any additional control identified through a threat and risk assessment.

These controls, and the security roles and responsibilities of all personnel, should be clearly defined and documented.

To ensure compliance with the policy, areas or departments should:

• Authorize systems before they go into operation.

• Regularly assess security, including assessments of routinely made configuration changes.

• Request periodic review by third parties in order to obtain an independent assessment.

11.2 MONITORING AND INCIDENT DETECTION

Since services can be rapidly degraded by incidents, ranging from a decrease to a cessation of the level of provision, services should continuously monitor the operation to detect anomalies in the levels of service provision and act accordingly.

Training may be based on face-to-face sessions or e-Learning courses. This training may be based on any type of communication and training material and instruments that allow awareness of criminal risks at all levels of ASCIRES.

ASCIRES will perform the following functions in terms of training and awareness:

1. It will prepare a training and awareness plan each year

• It will monitor its execution

• It will evaluate its results

• It will ensure the traceability of the sessions given

• It will obtain evidence with time stamping of the sessions given.

Compliance with this Security Policy is mandatory for all internal or external personnel involved in ASCIRES processes, with the consequences of non-compliance with the Security Policy being those established in the regulations in force in each country. moment.

14 THIRD PARTIES

When services are provided or information is managed for other organizations, they will be made aware of this Information Security Policy, which is published on the ASCIRES website and headquarters. Channels will be established for reporting and coordination of the respective Security Committees and procedures will be established for action to react to security incidents.

When third-party services are used or information is transferred to third parties, they will be made aware of this Security Policy and the Security Regulations that apply to said services or information. Said third party will be subject to the obligations established in said regulations, and may develop its own operating procedures to satisfy them.

Specific procedures for reporting and resolving incidents will be established.

When any aspect of the Policy cannot be satisfied by a third party as required in the previous paragraphs, a report will be required from the Security Manager specifying the risks incurred and how to deal with them. Approval of this report by those responsible for the information and services affected will be required before proceeding.

In addition to the legal requirements regarding security, ASCIRES is also obliged to comply with the specific security requirements demanded by its clients and suppliers in relation to the information they access by virtue of their contractual relationships with them.

ASCIRES will create and maintain an updated map of contractual obligations in which the obligations related to the security of the confidential information and personal data it accesses or processes will be identified and prioritised.

It will be ensured that third-party personnel are adequately aware of security, at least at the same level as that established in this Policy.

ASCIRES will periodically check that the contractual obligations assumed in terms of security are integrated into this security policy or into the rules and procedures that develop it. Otherwise, this integration will be carried out.

15 REVIEW AND APPROVAL OF THE POLICY

This document has been approved on 10/01/2023.

This Information Security Policy is effective from that date and until it is replaced by a new Policy.

It will be reviewed by the Security Officer at planned intervals, which may not exceed one year in duration, or whenever significant changes occur, in order to ensure that its suitability, adequacy and effectiveness are maintained.

Changes to the Information Security Policy must be approved by the corresponding competent higher body, in accordance with article 13 of the ENS.

Any changes to it must be disseminated to all parties affected.

16 ANNEX A. GLOSSARY OF TERMS

• Risk analysis: Systematic use of available information to identify hazards and estimate risks.
• Personal data: Any information concerning identified or identifiable natural persons. Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights and Regulation (EU) 679/2016.
• Incident management: Action plan to deal with any incidents that occur. In addition to resolving them, it must incorporate performance measures that make it possible to understand the quality of the protection system and detect trends before they become major problems. ENS.
• Risk management: Coordinated activities to direct and control